CVE-2016-8685

Priority
Low
Description
The findnext function in decompose.c in potrace 1.13 allows remote attackers to cause a denial of service (invalid memory access and crash) via a crafted BMP image.
Notes
 tyhicks> inkscape in xenial and earlier embeds libpotrace (LP: #1156664)
 tyhicks> Sourceforge link returns a 404. See Debian updates for the fix.
 mdeslaur> potrace in inkscape works on bitmaps already loaded, not
 mdeslaur> arbitrary images. Marking as not-affected for inkscape.
Package
Upstream:released (1.13-3)
Ubuntu 17.10 (Artful Aardvark):not-affected
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was released [1.10-1+deb7u2build0.12.04.1])
Ubuntu 14.04 LTS (Trusty Tahr):needed
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 17.04 (Zesty Zapus):not-affected (1.13-3)
Patches:
Upstream:http://potrace.sourceforge.net/patches/potrace-1.13-CVE-2016-8685.patch
Package
Upstream:needs-triage
Ubuntu 17.10 (Artful Aardvark):not-affected (code not present)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was not-affected [code doesn't contain the flaw])
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (code doesn't contain the flaw)
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (no attack vector)
Ubuntu 17.04 (Zesty Zapus):not-affected (code not present)
Updated: 2017-08-17 13:14:13 UTC (commit 13118)